Crypto Currency Runtime
This finding indicates that a container inside a Pod attempted cryptocurrency mining.
To simulate the finding, we will run an `ubuntu` image Pod in the `default` namespace and, from inside it, run a couple of commands that simulate downloading a crypto mining process.
Run the below command to start the Pod:
Next we can use `kubectl exec` to run a series of commands inside the Pod. First, install the `curl` utility:
Next, download the crypto mining process but send the output to `/dev/null`:
These commands trigger three different findings in the GuardDuty Findings console.
The first one is `Execution:Runtime/NewBinaryExecuted`, which relates to the `curl` package installed via the APT tool.
Take a closer look at the details of this finding: because it comes from GuardDuty runtime monitoring, it shows specific information about the runtime, context, and processes.
The second and third ones are `CryptoCurrency:Runtime/BitcoinTool.B!DNS` findings. Notice again that the finding details bring different information, this time showing the `DNS_REQUEST` action and the threat intelligence evidence.